Access Denied retrieving User Profiles

Access Denied retrieving User Profiles

Since the release of the Mavention Profile Completeness we deployed it into several of our projects where it all went well, it even resulted in some updates pushed into the App. Yet our last project we encountered an small error that took me a while to comprehend. At some point the app just stopped working for some users, while others would still be able to see their progress. The strange thing was that the app would show an ‘Access denied’ on retrieving the User Profile.

Having an access denied for some users while others didn’t receive that message put me off at first. The strange thing was that even with a simple REST query to retrieve the User Profile (/_api/SP.UserProfiles.PeopleManager/GetMyProperties) it resulted in an access denied. So I made a ticket for MS Support but even with a technician we couldn’t figure out what went really wrong, so we ended up deleting the user profile that had the problem and recreated it. With the new profile all the errors where gone so we assumed that it was a small glitch in our User Profile self, until a few days later the error popped up again…

So after a bit more investigation we found out that one of the properties that was in the User Profile was the problem. Once that property was filled with info the app or a REST query that retrieved that profile would throw a nice access denied error. After fiddling a bit more we figured out that it had to do with a Termstore field, so checking the Managed Metadata Service we found the issue; a reusable term that reused a Term Set that was not configured with the ‘'Available for Tagging’ checkbox. As Lucy pointed out in Retrieving Managed Navigation with CSOM having that checkbox checked is pretty important, and will throw an error if you try to retrieve it without it selected.

Now as we where running it all in Office 365 the client object model and REST would retrieve an access denied when they tried to retrieve the term for that user, and then drop the stacktrace and just show the title of the error, an access denied, and serve that to the app. So the app would show you an access denied on your User Profile request while the real access denied happened somewhere else in our case the managed metadata service.

Bottom line: If you are running an app in Office 365 and you do get something like an access denied make sure its not some other part that throws the error and not serving you a stacktrace. 

Leave a Reply